Refactor exercise_controller and move more checks to policy

* We introduce a custom handler for Pundit::NotAuthorizedError
2022-09-04 00:05:13 +02:00
parent 0de213b8c7
commit 49f4f0e6c5
4 changed files with 78 additions and 7 deletions
--- a/spec/controllers/exercises_controller_spec.rb
+++ b/spec/controllers/exercises_controller_spec.rb
@ -187,6 +187,17 @@ describe ExercisesController do
      expect_flash_message(:alert, :'exercises.implement.no_files')
      expect_redirect(:exercise)
    end
+
+    context 'with other users accessing an unpublished exercise' do
+      let(:exercise) { create(:fibonacci, unpublished: true) }
+      let(:user) { create(:teacher) }
+
+      before { perform_request.call }
+
+      expect_assigns(exercise: :exercise)
+      expect_flash_message(:alert, :'exercises.implement.unpublished')
+      expect_redirect(:exercise)
+    end
  end

  describe 'GET #index' do
@ -223,6 +234,8 @@ describe ExercisesController do

  describe 'GET #reload' do
    context 'when being anyone' do
+      let(:exercise) { create(:fibonacci) }
+
      before { get :reload, format: :json, params: {id: exercise.id} }

      expect_assigns(exercise: :exercise)
--- a/spec/policies/exercise_policy_spec.rb
+++ b/spec/policies/exercise_policy_spec.rb
@ -110,10 +110,54 @@ describe ExercisePolicy do
    end
  end

-  permissions :implement? do
-    it 'grants access to anyone' do
-      %i[admin external_user teacher].each do |factory_name|
-        expect(policy).to permit(build(factory_name), Exercise.new)
+  %i[implement? working_times? intervention? search? reload?].each do |action|
+    permissions(action) do
+      context 'when the exercise has no visible files' do
+        let(:exercise) { create(:dummy) }
+
+        it 'does not grant access to anyone' do
+          %i[admin external_user teacher].each do |factory_name|
+            expect(policy).not_to permit(build(factory_name), exercise)
+          end
+        end
+      end
+
+      context 'when the exercise has visible files' do
+        let(:exercise) { create(:fibonacci) }
+
+        it 'grants access to anyone' do
+          %i[admin external_user teacher].each do |factory_name|
+            expect(policy).to permit(build(factory_name), exercise)
+          end
+        end
+      end
+
+      context 'when the exercise is published' do
+        let(:exercise) { create(:fibonacci, unpublished: false) }
+
+        it 'grants access to anyone' do
+          %i[admin external_user teacher].each do |factory_name|
+            expect(policy).to permit(build(factory_name), exercise)
+          end
+        end
+      end
+
+      context 'when the exercise is unpublished' do
+        let(:exercise) { create(:fibonacci, unpublished: true) }
+
+        it 'grants access to admins' do
+          expect(policy).to permit(build(:admin), exercise)
+        end
+
+        it 'grants access to the author' do
+          expect(policy).to permit(exercise.author, exercise)
+        end
+
+        it 'does not grant access to everyone' do
+          %i[external_user teacher].each do |factory_name|
+            expect(policy).not_to permit(build(factory_name), exercise)
+          end
+        end
      end
    end
  end